service_manifest.yml

name: Ancestry
version: $SERVICE_TAG
description: Signature-based Assemblyline service that focuses on file genealogy.
accepts: .*
rejects: empty|metadata/.*|uri/.*

stage: REVIEW
category: Static Analysis

file_required: false
timeout: 60
disable_cache: true
privileged: true

enabled: true
is_external: false
licence_count: 0
uses_tags: false
uses_tag_scores: false
uses_metadata: false
uses_temp_submission_data: true

config:
  signatures:
    exe_from_office_document:
      pattern: document/office/\w+,\w+(\|[a-z0-9/]+,\w+)*\|executable/windows/(?:pe|dll)(?:32|64),EXTRACTED
      score: 500
    exe_from_code:
      pattern: code/\w+,\w+(\|[a-z0-9/]+,\w+)*\|(executable/windows/(?:pe|dll)(?:32|64)|shortcut/\w+),\w+
      score: 500
    onenote_to_passwordprotected_archive:
      pattern: document/office/onenote,\w+\|code/html,\w+\|archive/\w+,\w+
      score: 500
    exe_from_unknown:
      pattern: unknown,\w+(\|[a-z0-9/]+,\w+)*\|(executable/windows/(?:pe|dll)(?:32|64)|code/(ps1|batch)|shortcut/\w+),\w+
      score: 500
    ps1_from_javascript:
      pattern: code/(?:javascript|html|hta),\w+(\|[a-z0-9/]+,\w+)*\|code/ps1,\w+
      score: 500
    code_from_jscript_from_office_document:
      pattern: document/office/\w+,\w+\|.*\|code/(batch|javascript|jscript|vbe|ps1|wsf|wsc),EXTRACTED
      score: 500
    archive_from_javascript:
      pattern: code/(javascript|jscript|html|hta|wsf|wsc),\w+\|archive/\w+,EXTRACTED
      score: 500

heuristics:
  - name: "Suspicious File Ancestry"
    heur_id: 1
    score: 0 # Score dictated by signatures
    description: "Signature hit on genealogy of current file"
    filetype: ".*"

docker_config:
  image: ${REGISTRY}cccs/assemblyline-service-ancestry:$SERVICE_TAG
  cpu_cores: 0.4
  ram_mb: 512